Glossary

Hash DoS Attack

A Hash Denial of Service (DoS) attack is a specialized type of exploit that takes advantage of the hashing algorithm behind the hash tables used across many software libraries, programming languages, and applications. When the attack is launched, it sends the software service a specially crafted request that ties it up processing a large amount of deliberately expensive data. This leaves no capacity to process legitimate requests, effectively shutting the service down.

A hash DoS attack takes advantage of hash tables and hash collisions to exhaust computing resources on the targeted system. Discovered in 2003, the hash DoS vulnerability affects many programming languages, although vendors and developers have largely mitigated the problem with patches and updates. A partial list of affected programming languages and platforms includes:

Apache Tomcat – 5.5.34 and prior, 6.0.34 and prior, 7.0.22 and prior

Java – all versions

JRuby – 1.6.5 and prior

Microsoft ASP.NET – all versions (if unpatched with MS11-100)

PHP – 5.3.8 and prior, 5.4.0RC3 and prior

Python – 3.3.0 and prior (inadequate fix in 2.7.3 and 3.2.3)

Ruby – 1.8.7-p356 and prior

The attack works by sending a large, specially crafted request to a web server or application that forces it to perform many dictionary lookups on its hash tables. The request deliberately contains many hash collisions: many distinct keys (for example, request parameter names) that all hash to the same value. Colliding keys end up in the same bucket, so every insert or lookup has to walk past all the keys already stored there, and the total work grows quadratically with the number of colliding keys. The sheer quantity means the platform spends essentially all of its computing resources sorting out these collisions.

This means there are no resources left to serve websites, functionality, applications, or other services to legitimate users. In most cases, the hash DoS risk can be reduced by updating to the latest version of the programming language or platform; the fixes typically randomize the hash seed per process so that collisions cannot be predicted in advance, and many platforms additionally cap the number of request parameters they will accept.
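The following added example (not code from the original page) illustrates both the collision mechanism described above and the two mitigations: it builds a tiny chained hash table that counts key comparisons, inserts constructed colliding keys under a toy order-insensitive hash and under a hash keyed with a per-process random seed, and shows a request parser that refuses oversized inputs before any hashing happens. The toy hash, the seed and the parameter cap are assumptions for the demonstration, not any real platform's implementation.

```python
import hashlib
import os
from itertools import islice, permutations

def weak_hash(key: bytes) -> int:
    # Toy, order-insensitive hash (assumption): every anagram of a key collides with it.
    return sum(key)

SEED = os.urandom(16)  # drawn once per process, like a randomized hash seed

def keyed_hash(key: bytes) -> int:
    # Keyed hash: without SEED, colliding keys cannot be precomputed in advance.
    return int.from_bytes(hashlib.blake2b(key, key=SEED, digest_size=8).digest(), "big")

class ChainedTable:
    """Minimal chained hash table that counts key comparisons (a proxy for CPU cost)."""
    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn, self.buckets, self.probes = hash_fn, [[] for _ in range(nbuckets)], 0

    def insert(self, key: bytes, value) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):  # linear scan of the chain
            self.probes += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

def colliding_keys(n: int) -> list[bytes]:
    # Constructed input: n distinct anagrams, all with the same weak_hash value.
    return [bytes(p) for p in islice(permutations(b"abcdefgh"), n)]

def insert_cost(hash_fn, keys) -> tuple[int, int]:
    """Return (total key comparisons, longest chain) after inserting all keys."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, None)
    return table.probes, max(len(b) for b in table.buckets)

def parse_form(body: bytes, max_params: int = 1000) -> dict[bytes, bytes]:
    """Parse an a=1&b=2 body, rejecting oversized bodies before any key is hashed
    (the same idea as PHP's max_input_vars or Tomcat's maxParameterCount)."""
    pairs = body.split(b"&") if body else []
    if len(pairs) > max_params:
        raise ValueError(f"too many parameters: {len(pairs)} > {max_params}")
    return {k: v for k, _, v in (p.partition(b"=") for p in pairs)}

if __name__ == "__main__":
    keys = colliding_keys(2000)
    print("weak :", insert_cost(weak_hash, keys))   # (1999000, 2000): one chain holds everything
    print("keyed:", insert_cost(keyed_hash, keys))  # a few thousand comparisons, short chains
```

With the weak hash, inserting n colliding keys costs n(n-1)/2 comparisons, which is the quadratic blow-up the attack relies on; the keyed hash spreads the same keys across buckets, and the parameter cap bounds the damage even if collisions were found.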